
GitHub’s response to Log4j vulnerability CVE-2021-44228

Source: https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/


December 13, 2021


On Thursday, December 9, 2021, GitHub was made aware of a vulnerability in the Log4j logging framework, CVE-2021-44228. We immediately initiated our incident response process to determine our usage of this framework and its impact across GitHub, our products, and our infrastructure. To assist the community in identifying their usage of the vulnerable Log4j library, we also issued a GitHub Security Advisory and Dependabot alerts containing general vulnerability details.

This post summarizes the results of our investigation to date and our recommended next steps for customers.

GitHub Enterprise Server

In GitHub Enterprise Server’s recommended configuration (private mode enabled), CVE-2021-44228 is exposed only to authenticated users. If an instance has been configured not to use private mode, the vulnerability may also be reachable by unauthenticated users. Customers should consider immediately taking one of the two steps below to secure their GitHub Enterprise Server instances.

  1. Upgrade to a new version of GitHub Enterprise Server that contains changes to mitigate the Log4j vulnerability. The new releases that mitigate this vulnerability are 3.3.1, 3.2.6, 3.1.14, and 3.0.22.
  2. Upgrade an existing GitHub Enterprise Server instance to the latest patch release with a hotpatch by following our hotpatch instructions. This method will allow the instance to be upgraded without a maintenance window.
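Because the fix lives on four separate release lines, “am I on a new enough version?” is a per-line comparison rather than a single threshold. The script below is an added example, not GitHub’s own tooling: it parses a GitHub Enterprise Server version string, compares it against the fixed release on the same line, and reads the version out of the body of `GET /api/v3/meta` (the `installed_version` field is assumed; the JSON samples are constructed, not captured from a real instance). It also assumes that any 3.x release line newer than 3.3 shipped after the fix and is therefore patched.

```python
"""Decide whether a GitHub Enterprise Server version carries the Log4j
(CVE-2021-44228) fix named in the advisory.

Added example, not GitHub's own code. Assumptions: the fixed versions are the
four listed in the post; any 3.x release line newer than 3.3 is treated as
patched; the "installed_version" field of GET /api/v3/meta is assumed and is
only exercised here on constructed JSON samples.
"""
import json
import re
from typing import Optional, Tuple

# Patched releases named in the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (3, 3): (3, 3, 1),
    (3, 2): (3, 2, 6),
    (3, 1): (3, 1, 14),
    (3, 0): (3, 0, 22),
}
NEWEST_FIXED_LINE = max(FIXED_VERSIONS)  # (3, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else so that a garbled or
    unexpected string is never silently treated as safe."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_patched(installed: str) -> bool:
    """True if `installed` is at or above the fixed release on its own line.

    A release line with no fixed release listed and older than 3.0 (for
    example 2.22.x) is reported as unpatched; a line newer than 3.3 is
    assumed to have shipped after the fix (assumption, see module docstring).
    """
    major, minor, patch = parse_version(installed)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    return line > NEWEST_FIXED_LINE


def installed_version_from_meta(meta_json: str) -> Optional[str]:
    """Extract installed_version from the body of GET /api/v3/meta on a GHES
    instance (assumed field name). Returns None on malformed input."""
    try:
        return json.loads(meta_json).get("installed_version")
    except (ValueError, AttributeError):
        return None


def assess(meta_json: str) -> str:
    """One-line verdict for a single instance's meta response."""
    version = installed_version_from_meta(meta_json)
    if version is None:
        return "unknown: no installed_version in meta response"
    try:
        patched = is_patched(version)
    except ValueError as exc:
        return f"unknown: {exc}"
    verdict = "patched" if patched else "NOT patched, upgrade or hotpatch"
    return f"{version}: {verdict}"


if __name__ == "__main__":
    # Constructed meta responses, not captured from a real instance.
    for sample in (
        '{"installed_version": "3.2.5"}',
        '{"installed_version": "3.2.6"}',
        '{"installed_version": "3.1"}',
    ):
        print(assess(sample))
```

Feed it the JSON body returned by your instance’s `/api/v3/meta` endpoint; a hotpatched instance reports the patched version number, so the same comparison covers both upgrade paths listed above.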

GitHub.com and GitHub Enterprise Cloud

Following the public vulnerability disclosure, we took immediate action on the evening of Friday, December 10 to begin mitigating any impact to GitHub.com and GitHub Enterprise Cloud. We reviewed telemetry and deployed additional monitoring, neither of which has detected any successful exploitation at this time. We continue to monitor the situation for any new developments. No action by users of GitHub.com or GitHub Enterprise Cloud is required in order to continue safely using GitHub.com.

Conclusion

We are continuing to investigate our exposure to this vulnerability and will provide further updates if any new risk to our users or our products is identified.
